Comments on: Symantec picks away at Vista's core

In third report on Windows Vista security, Symantec lauds Microsoft's work but finds flaws. Redmond says it's old news.

[n3td3v]

re: vista's core

i've got those de ja vu blues http://news.com.com/5208-1016-0.html?forumID=1&threadID=19921&messageID=170623&start=-1
:)

[Jerry Dawson]

Anybody else spot this?

"Also, an attacker could disable a mechanism to block unsigned driver software to run on Vista PCs by "patching" core operating system files"

There are plenty of unsigned drivers around, I suspect because Microsoft charge a fee of some sort. Is this yet another attempt to leverage the market?

[Gayle Edwards]

Actually, that was our first thought...

When we had to "Disable driver-signing", just in order to load the Microsoft-recommended "Anti-Virus" software. And, while reading the "command-line" instructions at Microsofts web-site, also read the statement that being able to disable "driver signing" would ONLY function in "Vista Beta", NOT the "final-release version", we became VERY concerned that this WOULD allow all manner of abuses, and forcible revenue-extraction, by Microsoft.

From a "security" standpoint, simply being required to re-log-in, specifically as an "admin", and then take very-specific-actions, to load "un-signed" software would quite reasonably-preserve system-integrity, without robbing computer-owners, and third-party product-producers, of their basic freedoms.

I think Microsofts action, regarding controlling "unsigned" software is far too heavy-handed and, based upon the decades of abuses by Microsoft, is very worrisome.

And, more to the point, many industry-analysts, consumer-watchdogs, and computer-product developers, have begun saying-so, too.

[Mr. Network]

Signed drivers

Microsoft distributes strict guidlines that manufactures must follow if they wish to have thier driver approved, then the driver must be submitted to Microsoft for testing. If all works out ok, it becomes approved and depending on the company the driver is added into the installation similar to how you find plug n' play support for most hp printers and linksys network cards.

Generic devices produced by non-brand name companies typically don't have signed drivers because it costs more to make something right than it does to make something that works.

Through group policy un-signed drivers can already be configured as unusable. Just more work for your friendly neighborhood network admin.

[john55440]

Now, if Symantec would only...

Now, if Symantec would only analyze and fix their own boated, buggy, software...

[thedreaming]

Are they fighting?

Is it just me or is Symantec angry at Microsoft? Lately they seem to be concentrating on making vista's security seem flawed. Is Symantec creating a vista only product to enhance or replace Microsoft's own security?

Symantec's products have their share of problems too. Everyone remember last week's news when one of their products kept telling people that a piece of software used by clergy to make sermons was actually spyware and should be deleted, so they did and then the program stopped working!

HA! That was funny! They had to patch the program and apologize!

[john55440]

Are they fighting?

>Is it just me or is Symantec angry at Microsoft?<

It looks that way, due to the introduction of Microsoft Windows Live OneCare.

BTW, PC Magazine hates OneCare, calling the antispyware function "not effective in testing."

Shame on Microsoft, again. <sigh>

[bogerl]

You are so right!

You are so right! Even if they're justified, seeing Symantec criticize Microsoft is just hilarious, given the quality of their own product. If Microsoft is really using that much of Symantec's tech---even if it were licensed---I'm that much less likely to upgrade to Vista, simply because Symantec's own software is so unimpressive. The term "streamlined" is obviously something that neither of these companies will ever grasp.

[bogerl]

whoops John55440

That should have been a reply to John55440's comment, but I'm a moron and replied to the story. Sigh.

[cjooss]

MS does not make $ for signed drivers

The tools to sign drivers are free.

You can pay any trusted authority to provide a certificate chain to validate a driver signature, or (if you wish to do so) you may establish your own trusted authority.

Companies who provide certificate or identity validation (think: verisign) are the ones who get paid to validate driver signatures, not Microsoft.

Signing a driver, once your certificates and trusted roots are in place, takes no more effort than compiling- in fact, all it requires is an additional argument be given to the compiler.

The value this provides is immense: it guarantees the user that the code is what it says it is- that is, it's the binary that was built by the specified vendor and not someone else's file. This allows you to know before running it that it's backed by a real, accountable entity and not some hax0r.

Moving forward, the likely direction security will go is away from the 'look for bad binaries and block them' method, toward the 'only run known good ones' method. We're moving in this direction today with drivers because by their nature they have high permissions. In the future, expect some sort of control like this to occur for programs as well.